A network namespace is logically another copy of the network stack, with its own routes, firewall rules, and network devices.

By default a process inherits its network namespace from its parent. Initially all the processes share the same default network namespace from the init process.

By convention a named network namespace is an object at /var/run/netns/NAME that can be opened. The file descriptor resulting from opening /var/run/netns/NAME refers to the specified network namespace. Holding that file descriptor open keeps the network namespace alive. The file descriptor can be used with the setns(2) system call to change the network namespace associated with a task.

For applications that are aware of network namespaces, the convention is to look for global network configuration files first in /etc/netns/NAME/ and then in /etc/. For example, if you want a different version of /etc/resolv.conf for a network namespace used to isolate your VPN, you would name it /etc/netns/myvpn/resolv.conf.

ip netns exec automates handling of this configuration file convention for network namespace unaware applications by creating a mount namespace and bind mounting all of the per network namespace configuration files into their traditional location in /etc.

ip netns list - show all of the named network namespaces

This command displays all of the network namespaces in /var/run/netns.

ip netns add NAME - create a new named network namespace

If NAME is available in /var/run/netns/ this command creates a new network namespace and assigns NAME.

ip [-all] netns delete [ NAME ] - delete the name of network namespace(s)

If NAME is present in /var/run/netns it is unmounted and the mount point is removed. If this was the last user of the network namespace, the network namespace is freed and all physical devices are moved to the default one; otherwise the network namespace persists until it has no more users. ip netns delete may fail if the mount point is in use in another mount namespace.

If the -all option was specified then all the network namespace names will be removed.

It is possible to lose the physical device when it was moved to a netns and then this netns was deleted while a process was still running in it:

$ ip netns add net0
$ ip link set dev eth0 netns net0
$ ip netns exec net0 SOME_PROCESS_IN_BACKGROUND
$ ip netns del net0

Here eth0 will appear in the default netns only after SOME_PROCESS_IN_BACKGROUND exits or is killed, because the running process keeps the namespace alive. To prevent this, the processes running in net0 should be killed before deleting the netns:

$ ip netns pids net0 | xargs kill
$ ip netns del net0

ip netns set NAME NETNSID - assign an id to a peer network namespace

This command assigns an id to a peer network namespace. This id is valid only in the current network namespace. If the keyword "auto" is specified, an available nsid will be chosen. This id is used by the kernel in some netlink messages. If no id has been assigned when the kernel needs one, the kernel assigns it automatically. Once it is assigned, it is not possible to change it.

ip netns identify [PID] - report network namespace names for a process

This command walks through /var/run/netns and finds all the network namespace names for the network namespace of the specified process. If PID is not specified, the current process is used.

ip netns pids NAME - report processes in the named network namespace

This command walks through /proc and finds all of the processes that have the named network namespace as their primary network namespace.
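The lookups behind ip netns identify and ip netns pids, as an added Python example (not iproute2's own code): both reduce to comparing the (st_dev, st_ino) of a process's /proc/PID/ns/net with the inode behind each entry in /var/run/netns, which is also how the inode comparison works in ip. The directories are parameters so that a constructed fixture, using hard links to stand in for the shared nsfs inode, exercises the logic without root; on a real system call the functions with the defaults.

```python
import os
import tempfile
from pathlib import Path

NETNS_DIR = Path("/var/run/netns")  # where ip(8) keeps named network namespaces
PROC_DIR = Path("/proc")


def _ns_key(path):
    """(st_dev, st_ino) of the inode behind path (os.stat() follows the
    /proc/PID/ns/net symlink onto nsfs); None if it cannot be stat()ed."""
    try:
        st = os.stat(path)
    except OSError:  # process gone, or its ns directory not readable by us
        return None
    return (st.st_dev, st.st_ino)


def identify(pid="self", netns_dir=NETNS_DIR, proc_dir=PROC_DIR):
    """Like `ip netns identify [PID]`: names under netns_dir that refer to
    the network namespace of pid (default: the calling process)."""
    target = _ns_key(proc_dir / str(pid) / "ns" / "net")
    if target is None or not netns_dir.is_dir():
        return []
    return sorted(n for n in os.listdir(netns_dir) if _ns_key(netns_dir / n) == target)


def pids(name, netns_dir=NETNS_DIR, proc_dir=PROC_DIR):
    """Like `ip netns pids NAME`: pids whose primary network namespace is
    the named one. Raises if NAME is not a named namespace."""
    target = _ns_key(netns_dir / name)
    if target is None:
        raise FileNotFoundError(f"no named network namespace {name!r}")
    return sorted(int(p) for p in os.listdir(proc_dir)
                  if p.isdigit() and _ns_key(proc_dir / p / "ns" / "net") == target)


def build_constructed_fixture():
    """Constructed stand-in for /var/run/netns and /proc, so the functions run
    without root: hard links share an inode, just as a namespace's bind mount
    and a member process's ns/net entry share one nsfs inode."""
    root = Path(tempfile.mkdtemp())
    netns, proc = root / "netns", root / "proc"
    netns.mkdir()
    for pid in ("123", "456"):
        (proc / pid / "ns").mkdir(parents=True)
    (netns / "net0").touch()
    os.link(netns / "net0", proc / "123" / "ns" / "net")  # pid 123 lives in net0
    (proc / "456" / "ns" / "net").touch()                  # pid 456: another netns
    return netns, proc
```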

ip [-all] netns exec [ NAME ] cmd ... - run cmd in the named network namespace

This command allows applications that are network namespace unaware to be run in something other than the default network namespace, with all of the configuration for the specified network namespace appearing in the customary global locations. A mount namespace and bind mounts are used to move files from their network namespace specific location to their default locations without affecting other processes.

If the -all option was specified then cmd will be executed synchronously in each named network namespace, even if cmd fails in some of them. The network namespace name is printed before each execution of cmd.

ip netns monitor - report as network namespace names are added and deleted

This command watches network namespace name addition and deletion events and prints a line for each event it sees.

ip netns list-id - list network namespace ids (nsid)

Network namespace ids are used to identify a peer network namespace. This command displays the nsids known to the current network namespace and provides the corresponding iproute2 netns name (from /var/run/netns), if any.